Adoptable Cookbooks List

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

audit-cis

This cookbook implements recipes that perform a Chef Audit Mode check for the CIS Benchmarks. Each recipe represents an entire benchmark's implementation. They are intended to be run wholesale against the target platform. The check may fail depending on the base OS installation.

This cookbook is intended to be used only with Chef's audit mode and should not make any changes to the system. Implementation of the benchmarks is up to individuals and organizations security policy. This cookbook does not perform any sort of "scoring" according to the CIS Benchmarks.

This cookbook is not supported or endorsed by the Center for Internet Security or its affiliates. We may opt

Requirements

Chef 12.1.0 or higher.

Platform

CentOS 7, 64 bit

Recipe Naming

Recipes are named according to the benchmark that they check. For example, the CIS CentOS Linux 7 Benchmark v1.0.0 recipe is named centos7-100. If a v1.0.1 is released, a new recipe would be added, centos7-101.

The CIS publishes separate benchmarks across platform families. These are implemented as separate recipes in this cookbook. For example, there are benchmarks for CentOS 7 and RHEL 7. While these distributions are binary compatible, they are implemented in separate benchmarks, and separate recipes in this cookbook.

Recipes will be updated to the latest benchmark as is deemed reasonable and for newer point releases of individual distributions. For example, the CentOS 7 benchmark may be equally applicable on CentOS 7.1.

Usage

Add the recipe for the desired benchmark to the appropriate nodes and enable audit mode in /etc/chef/client.rb.

audit_mode :enabled

Failures mean that the node does not comply with the benchmark's validation rules. Depending on site-specific security policies and business requirements, failures can be safe to ignore. In this case it may be desirable to implement Chef Analytics rules to filter and notify only on failures that are in scope.

Roadmap

Other platform benchmarks will be added in the future. We will target the following next:

CentOS 6

Ubuntu 14.04

Ubuntu 12.04

It is not yet determined whether other non-platform benchmarks will be implemented (e.g., Apache HTTPD) in this cookbook, or in another one.

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

v0.3.0

Implementation of audit mode control groups for all sections of CIS Benchmark for CentOS 7